Intlayer MCP server — agentic threat model
The Intlayer MCP server presents a moderate-to-high risk profile: it runs locally with the developer's own privileges and exposes Intlayer CLI execution to the host IDE's model, so prompt injection through malicious project files or poisoned documentation could lead to unauthorized local command execution.
OWASP AIVSS score rationale
| Agentic risk factor | Score |
| --- | --- |
| Autonomy of Action | 0.30 |
| Goal-Driven Planning | 0.10 |
| Self-Modification | 0.00 |
| Dynamic Tool Use | 0.40 |
| Persistent Memory | 0.10 |
| Contextual Awareness | 0.60 |
| Dynamic Identity | 0.10 |
| Multi-Agent Interactions | 0.00 |
| Non-Determinism | 0.50 |
| Opacity & Reflexivity | 0.40 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.
Layer 1 (Foundation Models): Not certain from the listing — The listing does not specify which underlying LLM is used; the server connects via MCP to whatever model the host IDE provides. Threats at this layer include prompt injection via malicious project files or poisoned local documentation that steers the model into suggesting or requesting malicious CLI commands.
Layer 2 (Data Operations): The agent dynamically loads local project files, the installed Intlayer version, and documentation. Threats include data poisoning: a malicious repository can carry manipulated Intlayer documentation, content declarations, or configuration files, and the model treats them as trusted context, leading to incorrect or malicious code suggestions.
Layer 3 (Agent Frameworks): Uses the Model Context Protocol (MCP) to integrate with IDEs. Threats include insecure tool integration: the MCP server exposes a CLI execution tool ('run intlayer commands') that a prompt-injected model could drive to execute arbitrary local commands, particularly if tool arguments are passed to a shell as a free-form string.
Layer 4 (Deployment & Infrastructure): Runs locally via 'npx @intlayer/mcp' inside the user's IDE (Cursor/VS Code) with no dedicated server. Threats include local host compromise if the MCP server process is exploited, since it runs with the developer's local user privileges and has the same filesystem, credential, and network access the developer does.
Layer 5 (Evaluation & Observability): Not certain from the listing — The listing does not mention any built-in logging, guardrails, or evaluation mechanisms for monitoring the safety of generated CLI commands or code suggestions, so review of proposed commands falls to the developer and the host IDE's tool-approval prompts.
Layer 6 (Security & Compliance): Not certain from the listing — There is no mention of authentication, authorization, or compliance audits. The server relies entirely on the host IDE's security posture and local file permissions.
Layer 7 (Agent Ecosystem): Not certain from the listing — While it operates as an MCP server (an ecosystem protocol), there is no explicit mention of multi-agent orchestration or marketplace interactions.
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).
These scores are auto-generated from public information (the agent's own listing, docs, and repository) using the canonical OWASP AIVSS formula and the MAESTRO framework. They are an estimate for guidance, not a penetration test, audit, or certification. See the scoring methodology.